A company wants to migrate a workload to AWS. The chief information security officer requires that all data be encrypted at rest when stored in the cloud. The company wants complete control of encryption key lifecycle management.
The company must be able to immediately remove the key material and audit key usage independently of AWS CloudTrail. The chosen services should integrate with other storage services that will be used on AWS.
Which services satisfies these security requirements?

A. AWS CloudHSM with the CloudHSM client B. AWS Key Management Service (AWS KMS) with AWS CloudHSM C. AWS Key Management Service (AWS KMS) with an external key material origin D. AWS Key Management Service (AWS KMS) with AWS managed customer master keys (CMKs)